1. Field of the Invention
The present invention relates generally to network security. More particularly, the present invention relates to prospective client identification through malware attack detection.
2. Background Art
Presently, malicious software (i.e., malware) can attack various devices via a network. For example, malware may include any program or file that is harmful to a computer user, such as computer viruses, worms, Trojan horses, spyware, or any programming that gathers information about a computer user without permission. Malware may be automated (e.g., a bot) or employed by a hacker (i.e., a cracker). Various processes and devices have been employed to prevent the problems that malware can cause.
For example, client devices often comprise malware scanning software that scans a particular client device for malware. The scanning may be performed based on a schedule specified by a user associated with the particular device or a system administrator. Unfortunately, by the time the malware is detected by the scanning software, some damage on the particular client device as well as others on the network may have already occurred.
One option for detecting malware is a honey pot. A honey pot is a computer system on the Internet that is expressly set up to attract and “trap” a malware attack (e.g., such as that perpetrated by a hacker). In one example, the honey pot records the activities of the malware attack. Disadvantageously, as the honey pot is being attacked, so too may other users' computer systems. Thus, other users' computer systems may be harmed while the honey pot determines the nature of the malware invading the honey pot's own computer system.
Further, the honey pot may be only capable of detecting some kinds of malware attacks but not others. In one example, a honey pot may be capable of detecting a worm attempting to infect a computer but not the infection of a bot or the command and control signals transmitted between the bot and a botnet server.
Another disadvantage of the “honey pot” approach is the passive nature of the trap. Generally, honey pots comprise a static IP address. The user of the honey pot tries to attract attention to make the honey pot an attractive target. The user of the honey pot can reduce security on the honey pot so as to allow attackers access in order to track the attack, record the attack vector (i.e., the vulnerability exploited to attack the honey pot), and record the payload (i.e., the damage caused by the attack). Unfortunately, if the attacker is aware of the honey pot, the honey pot can be easily avoided by simply not attacking the honey pot's IP address.
Further, some attacks include scans for computers and open ports. A honey pot's existence and vulnerability to such a scanning attack may be lost in a list of other potential targets. As such, the honey pot may not be attacked, but rather, the attacker may select other computers containing valuable data.
Unfortunately, when one computer on a network becomes infected with malware, other computers on the same network may be similarly afflicted. For example, when a computer is infected with a program performing an unauthorized activity, it is often a result of unpatched software and/or poor security. Multiple computers on the same network may share the unpatched software or weak security settings. As a result, when a malware attack is detected, it is evidence that there may be many infected computers. Information contained within servers or computers on a network may be increasingly at risk as the number of infected computers on the network grows.
In another example, a network is often managed by the same responsible party. There may be many responsible parties. In some examples, the party may own the computers or network outright. The party may be contractually responsible for the maintenance of the computers, be contractually responsible for computer security, or be the internet service provider responsible for the network coupled to the computer. If a party does not perform the necessary precautions, all of the computers of a network may be at risk. As a result, there is a need for businesses and organizations to purchase security related services and/or products. Further, there is a growing need for businesses and organizations to be alerted to malware or a possible malware attack coming from or transmitted to their network.